From: Julien Lepiller
To: guix-devel@gnu.org
Subject: Sniping "guix deploy"
Date: Fri, 10 Sep 2021 01:45:04 +0200
Message-ID: <20210910014504.77da1263@tachikoma.lepiller.eu>

Hi guix!

A few months ago, I published a paper on "Analyzing Infrastructure as Code to Prevent Intra-update Sniping Vulnerabilities" (https://lepiller.eu/pdf/hayha-extended.pdf) (and the tool: https://github.com/roptat/hayha). Although in the paper we focus on CloudFormation and AWS, I believe the same kind of issues can be found in any cloud or IaC tooling, such as guix deploy.

To give you a concrete example, imagine the following situation. Not very realistic, but I hope it gets the point across. You manage your local network with guix deploy, and it contains a router and a web server. Imagine you want to update the web server's config to add an SSH service that listens for root and logs you in with no password. You are aware this is a security risk, but you trust your local network, so you also update the router's configuration to add a firewall rule blocking any SSH attempt from the outside.

Unfortunately, although each system is updated atomically (although services are not reloaded atomically), the infrastructure is not. It could be the case that the server is updated first, exposing root login to the internet for as long as the router is not updated, hence the name "sniping".

I think this is a serious threat, despite the silly example, as the attacker only needs to be there at the right time, with no specific knowledge or technique. In the example, any bot would soon discover the root login and maybe take automated actions to retain access. However, it is also an inherent security issue with this type of tool (and you could also very well mess up manually), so it's not clear to me what to do.

Possible mitigations rely on users' awareness of the potential issue. In the previous example, we would need to update the router first, and only update the server once the router is updated. For a roll-back (resetting the firewall and removing SSH access), the other order is required. In other IaC tools, there is at least a way to describe dependencies between systems/services. I think we should at least implement such a feature in Guix too.

As a rule of thumb, when you update multiple systems and one system provides security for another, you should update the security system before the protected system if you restrict access, and the other way around if you allow more access. Maybe we could add that to the manual, in addition to letting users configure upgrade order?

In our paper, we were able to see that because CloudFormation has explicit "references" between systems. It's also more of an issue in CloudFormation, since you declare only small independent components and not whole systems (security resources are always separate from the resources they protect). There might be a way to improve the guix language to force using references between systems, which would allow us to adopt a similar solution to what we propose in the paper.

Or maybe it's time to advocate for "immutable infrastructure" :)

Wdyt?
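The rule of thumb from the post, turned into an ordering check as an added example (not code from the post, hayha or Guix): the change model, the "restrict"/"allow" labels and the machine names are constructed for it. It derives the router-first order for the SSH scenario, the reverse order for its roll-back, and flags a change set with contradictory constraints that cannot be deployed safely in one go.

```python
# Added example, not code from the post, hayha or Guix; the model is constructed:
# one entry per machine with the kind of change it gets ("restrict" tightens
# access, e.g. a new firewall rule; "allow" opens it, e.g. a new listening
# service) and the machines whose exposure it guards ("protects").
def deploy_order(changes):
    """Return (order, stuck): a safe update order plus any leftover machines.

    Rule from the post: if a guard's change restricts access, update the guard
    before the machines it protects; if it allows more access, update the
    protected machines first.  Machines caught in contradictory constraints
    are returned in `stuck` and must go into a separate deployment.
    """
    deps = {m: set() for m in changes}  # deps[m]: machines to update before m
    for guard, spec in changes.items():
        for protected in spec.get("protects", ()):
            if protected not in deps:   # not in this deployment: nothing to order
                continue
            if spec["change"] == "restrict":
                deps[protected].add(guard)
            else:
                deps[guard].add(protected)
    order = []
    while deps:
        ready = sorted(m for m, d in deps.items() if not d)
        if not ready:             # every remaining machine waits on another one
            break
        m = ready[0]              # deterministic pick among independent machines
        order.append(m)
        del deps[m]
        for d in deps.values():
            d.discard(m)
    return order, sorted(deps)

# Scenario from the post (constructed values): the web server gains an SSH
# service and the router gains a firewall rule shielding it from the outside.
ENABLE_SSH = {
    "router": {"change": "restrict", "protects": ["webserver"]},
    "webserver": {"change": "allow"},
}
# Roll-back of that change: the router drops the rule, so the web server must
# lose its SSH service before the router opens up again.
ROLLBACK_SSH = {
    "router": {"change": "allow", "protects": ["webserver"]},
    "webserver": {"change": "restrict"},
}
# Two guards that each tighten access on the other: no single order is safe.
MUTUAL_GUARDS = {
    "fw-a": {"change": "restrict", "protects": ["fw-b"]},
    "fw-b": {"change": "restrict", "protects": ["fw-a"]},
}
```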